How fraudsters exploit loopholes in OPay, PalmPay to hijack identities

December 15, 2023

UPDATE Monday, December 18, 2023: Following the publication of this story, OPay and PalmPay have disabled the "Verify with bank account" feature that allowed for the loophole discussed in the article below. However, it's still important to keep safe and protect your banking information online.

OPay and PalmPay accounts are being fraudulently opened using the identities of unsuspecting individuals. Recent incidents across Nigeria confirm that you can open OPay or PalmPay accounts with anybody's name, and we may have found out how.

Firstly, let's get some context.

I've been seeing glimpses of this issue but could not confirm until my elderly neighbour fell victim. Her phone was stolen and fraudsters hijacked her identity, siphoning over ₦100,000 from her friends using OPay accounts created with her full legal name.

Initially, we were confused. How could accounts bearing her full legal name be opened without her Bank Verification Number (BVN) or National Identity Number (NIN)? While OPay promptly blocked the fraudulent accounts when we notified them, they remained silent on how such a breach could occur in the first place.

Things were about to get even weirder.

The scam escalated, targeting high-profile individuals such as tech CEOs Adewale Yusuf of AltSchool Africa and Techpoint Africa, Dr Neto Ikpeme of Wellahealth, and Abimbola Adebakin of Advantage Health Africa. I too received a fraudulent message, ostensibly from Adewale Yusuf, requesting urgent funds through OPay and PalmPay accounts.

How is this happening?

Our investigation unveiled a disturbing loophole in OPay's account creation process.

Besides the standard NIN/BVN verification, OPay offers a third, laxer method -- Verify with bank account. This backdoor permits fraudsters to easily manipulate the system using just a phone number, facial recognition, and any name and address, facilitating identity theft with alarming ease.

Here's how it works: You get a phone number, any phone number, and the bank account details of anyone. To spice things up, you could choose someone of a different gender. OPay asks you to enter account details and asks for a name that matches what's on the account. Then you do facial recognition that seemingly doesn't test if your face matches what's registered to the account you used.

We saw a video circulating online of a man opening an OPay account with the name of a popular actress, Bimbo Ademoye. We decided to test this, and I seamlessly opened an OPay account with a friend's phone number and my commercial bank account details, even though I already have an OPay account registered with my BVN details.

Please note that my specific example might not be the best, but the idea is that the feature allows you to create a Tier 1 OPay account with any bank details of your choosing.
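The gap described above, modelled as an added example (this is not OPay's or PalmPay's code, whose internals the article does not show): a check that accepts a matching name plus any live face, next to one that binds the selfie and the applicant to the account holder. The record fields, the string stand-ins for face templates and the OTP step are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BankRecord:
    holder_name: str
    holder_face: str   # stand-in for the biometric template tied to the holder's BVN/NIN
    holder_phone: str  # phone number the bank has on file

@dataclass(frozen=True)
class Application:
    phone: str            # number the new wallet will be tied to
    account_number: str
    claimed_name: str
    selfie_face: str      # stand-in for the template extracted from the selfie
    selfie_is_live: bool  # liveness only: a real person is in front of the camera
    otp_confirmed: bool   # OTP sent to holder_phone was entered correctly

# Constructed records; names, numbers and templates are invented.
BANK = {"0000000001": BankRecord("Ada Example", "tmpl-ada", "+234-000-0001")}

def weak_verify(app, bank=BANK):
    """The flow as the article describes it: name lookup plus any live face."""
    rec = bank.get(app.account_number)
    return bool(rec and rec.holder_name.casefold() == app.claimed_name.casefold()
                and app.selfie_is_live)

def hardened_verify(app, bank=BANK):
    """Same inputs, but the selfie and the applicant are bound to the holder."""
    rec = bank.get(app.account_number)
    if rec is None:
        return False, ["unknown account"]
    reasons = []
    if rec.holder_name.casefold() != app.claimed_name.casefold():
        reasons.append("name mismatch")
    if not app.selfie_is_live:
        reasons.append("liveness failed")
    if app.selfie_face != rec.holder_face:
        reasons.append("face does not match account holder")
    if not app.otp_confirmed:
        reasons.append("no proof of control of the bank account")
    return not reasons, reasons

# Someone who only knows a published account number and the holder's name.
IMPOSTOR = Application("+234-000-9999", "0000000001", "Ada Example", "tmpl-other", True, False)
# The real holder opening a wallet on a new number.
HOLDER = Application("+234-000-0002", "0000000001", "Ada Example", "tmpl-ada", True, True)
```

Both applications pass `weak_verify`; only the holder passes `hardened_verify`, and the returned reasons give fraud teams something to log and alert on.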

If you've dropped your account number anywhere on the Internet, for giveaways or a business transaction, you might already be at risk of this loophole.

PalmPay also has this "verify with bank accounts" feature, but it didn't work when we tried it. Surprisingly, you can open a PalmPay account with any name without any verification whatsoever. This allows you to perform up to ₦50,000 in transactions.

Wider implications

These incidents are symptomatic of a growing financial fraud epidemic in Nigeria, with banks and individuals losing billions of Naira. The NIBSS has raised concerns over unlicensed financial services companies masquerading as deposit-taking institutions, reflecting increased regulatory scrutiny over fintech operations.

The NIBSS circular was quite vague, as it left room for varying interpretations. However, we must point out that OPay and PalmPay are, indeed, licensed deposit-taking financial institutions. The NIBSS circular was intended to weed out actual bad actors that went beyond the scope of their licenses, so we can fully spotlight the issues with the actual licensed companies.

While the CBN has mandated the use of NIN for all tier 1 wallets and bank accounts, the effectiveness of these measures remains to be seen.

The rise of digital payments has unfortunately increased the potential for fraud, as highlighted by PalmPay. Late reporting of fraud has been cited as a key factor in the low recovery of stolen funds.

As this investigation into the fraudulent activities involving OPay and PalmPay unfolds, a crucial question lingers: Is the Central Bank of Nigeria (CBN) aware of these specific vulnerabilities, and if so, what actions are being taken?

This is a developing story: See the latest update below.

I help Nigerian fintech companies understand consumers, acquire and retain paying users | Telling stories at Moniepoint, Techpoint Africa.

 Techpremier Media Limited. All rights reserved